1. Field of the Invention
The invention relates generally to the field of communications. More specifically, the invention relates to computer networking.
2. Description of the Related Art
For mobile access, particularly where a laptop or other mobile information device is used, a protocol known as “Mobile IP (Internet Protocol)” has been developed. The Mobile IP protocol allows a user to “roam” from IP location to IP location by leaving a “forwarding” address at which the user may be reached (i.e., to which IP packets may be forwarded), but it currently ignores firewalls. Currently, Mobile IP defines three entities: a mobile node, a home agent and a foreign agent. The mobile node is the roaming client that seeks access to the network as if it were still within the network's confines in terms of its IP address. Through Mobile IP, the mobile node is able to use the permanent IP address assigned to it within the intranet when it is physically “home,” regardless of where, in terms of its actual IP address, the mobile node may have moved. Through a process known as registration, a forwarding address is left with the home agent. The home agent intercepts all packets destined for the mobile node and sends them to the “foreign agent” that the mobile node is currently visiting. By adding another IP header to packets bound for the mobile node, the home agent causes the routing system to view the home agent as the source and the foreign agent as the destination. Once at the foreign agent, the packet can be delivered directly to the mobile node via data link mechanisms, without resolving the inner IP header and without performing ordinary network layer routing.
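The forwarding step described above, as an added example that is not part of the original text: base Mobile IP carries the intercepted packet to the foreign agent by IP-in-IP encapsulation (RFC 2003, IP protocol number 4), so the home agent wraps the original datagram in an outer header whose source is the home agent and whose destination is the registered care-of address, and the foreign agent strips that header and hands the inner datagram to the visiting mobile node by link-layer address. The function names, the addresses, the binding and visitor tables and the packet contents are all constructed for illustration and are not taken from the page.

```python
"""Mobile IP data path: RFC 2003 IP-in-IP tunnel from home agent to foreign agent.

Added illustration, not code from the patent text. Addresses, the binding
table, the visitor list and the packet below are constructed for the example.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4    # RFC 2003 "IP in IP", the encapsulation base Mobile IP uses
IPPROTO_UDP = 17


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over a header (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Build a minimal (no options) IPv4 datagram with a correct header checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 datagram; raises ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("bad version/length fields")
    if ipv4_checksum(packet[:ihl]) != 0:   # a valid header sums to zero with its checksum field
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def home_agent_forward(packet: bytes, home_agent_addr: str, bindings: dict) -> bytes:
    """Home agent: tunnel a packet for a registered mobile node to its care-of address.

    `bindings` maps each mobile node's permanent home address to the care-of address
    (the foreign agent) it left at registration. Packets for unregistered hosts are
    returned untouched for ordinary delivery.
    """
    inner = parse_ipv4(packet)
    care_of = bindings.get(inner["dst"])
    if care_of is None:
        return packet
    # The whole original datagram becomes the payload of a new one whose outer header
    # names the home agent as source and the foreign agent as destination; routers and
    # firewalls between them see only that outer header (protocol 4, HA -> FA).
    return build_ipv4(home_agent_addr, care_of, IPPROTO_IPIP, packet)


def foreign_agent_receive(packet: bytes, care_of_addr: str, visitors: dict) -> tuple:
    """Foreign agent: strip the outer header and deliver the inner datagram by link layer.

    `visitors` maps the home address of each visiting mobile node to its link-layer
    address, so no IP routing of the inner header is needed. Returns
    (home address, link address, inner datagram).
    """
    outer = parse_ipv4(packet)
    if outer["dst"] != care_of_addr or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a Mobile IP tunnel packet for this care-of address")
    inner = parse_ipv4(outer["payload"])
    link_addr = visitors.get(inner["dst"])
    if link_addr is None:
        raise ValueError("inner destination is not a registered visitor")
    return inner["dst"], link_addr, outer["payload"]


def is_valid_ipv4(packet: bytes) -> bool:
    """Probe a datagram without raising."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed topology: home agent 192.0.2.1 on the intranet, mobile node home
    # address 192.0.2.10, foreign agent (the ISP) at care-of address 198.51.100.1.
    bindings = {"192.0.2.10": "198.51.100.1"}
    visitors = {"192.0.2.10": "02:00:5e:00:53:01"}
    pkt = build_ipv4("203.0.113.7", "192.0.2.10", IPPROTO_UDP, b"constructed payload", ident=1)
    tunneled = home_agent_forward(pkt, "192.0.2.1", bindings)
    print("outer header:", {k: v for k, v in parse_ipv4(tunneled).items() if k != "payload"})
    home, link, inner = foreign_agent_receive(tunneled, "198.51.100.1", visitors)
    print("delivered to", home, "via", link, "intact:", inner == pkt)
```

The outer header is the only thing a packet filter between the two agents gets to see, which is the concrete form of the reachability requirement discussed next: the firewall in front of the intranet has to admit protocol-4 traffic between the home agent and whatever care-of address the ISP hands out. Nothing in this data path authenticates anything; the trust that the binding table is correct comes entirely from the registration exchange that populated it.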
In order for the home agent to have such a relationship with the foreign agent, the home agent and foreign agent must be directly reachable from one another (i.e., without first having to traverse a firewall or other impeding node). In many instances, such direct access is not desirable or not possible. For instance, if a mobile node is connecting (gaining Internet access) through an ISP (Internet Service Provider) which acts as the foreign agent, then allowing the ISP direct access to the home agent, which is presumably located on the premises of a private network or intranet, may be a breach of security. From the standpoint of the private network, granting such access is cumbersome, since a mobile node may connect through multiple and different ISPs. The problem is magnified when more than one user is mobile and attempting to gain remote access via Mobile IP.
Mobile IP, as employed in the current state of the art, assumes that a single registration sets up a “tunnel” (i.e., a data pathway) between the mobile node and the home agent. Mobile IP assumes that the endpoints of the tunnel are mutually trusting entities that can and will share registration packets. It also assumes that the mobile node initiates the registration request.
However, in the remote access situation, where the access is by a mobile node that has migrated outside a firewall, there may be several intervening entities, such as an ISP, that are not secure, trusted entities. Thus, there is a need for a mechanism that allows a mobile node, regardless of the number and type of intermediary entities between it and the private network, to obtain a secure registration. Further, for a mobile node that normally obtains its “home” address (i.e., its IP address within the private network) by assignment from a server such as DHCP, a home address discovery mechanism is needed when the mobile node migrates beyond the private network.
A tunneling set-up protocol is defined so that the registration process may be chained through a compound tunnel composed of a plurality of segments. Each tunnel segment composes a registration request and passes it along to the next tunnel segment until the endpoint is reached, at which point the registration request of the mobile node may be authenticated for data access to the endpoint. Further, a home address discovery mechanism provides a mobile node with the ability to discover its intranet IP address even though it has migrated beyond the intranet.